Audit of an application hosted on a private cloud virtual server
How would you perform an Audit of an application hosted on a private cloud virtual server?
The general approach to performing an audit is:
- define dates, criteria (i.e., the security requirements that need to be evaluated), and audit scope (i.e., the application to be evaluated).
- develop checklists so that you do not forget anything during the audit (i.e., what needs to be verified to evaluate whether the security requirements are being met).
- evaluate the application. At this point, the most common methods are: inquiry of personnel (e.g., users, developers, administrators, etc.); observation of the application being used; examination or inspection of evidence (e.g., records of previous processing, system logs, etc.); re-performance (i.e., repeating previous processing to evaluate its results); and use of tools to perform Computer-Assisted Audit Techniques (CAAT).
- prepare the audit report, which will include the non-compliances and other findings.
Considering a cloud environment, you need to clarify the responsibilities for each asset, so you can properly identify who needs to be audited about which asset.
For example, in an IaaS cloud model, the cloud provider is responsible only for the physical structure, while in a PaaS model, the cloud provider is also responsible for the development environment used by application developers, and in a SaaS environment, the cloud provider is also responsible for the applications.
These articles will provide you with further explanation about preparing an audit:
- How to prepare for an ISO 27001 internal audit https://advisera.com/27001academy/blog/2016/07/11/how-to-prepare-for-an-iso-27001-internal-audit/
- How to make an Internal Audit checklist for ISO 27001 / ISO 22301 https://advisera.com/27001academy/knowledgebase/how-to-make-an-internal-audit-checklist-for-iso-27001-iso-22301/
- Practical use of corrective actions for ISO 27001 and ISO 22301 https://advisera.com/27001academy/blog/2013/12/09/practical-use-of-corrective-actions-for-iso-27001-and-iso-22301/
- Defining the ISMS scope if the servers are in the cloud https://advisera.com/27001academy/blog/2017/05/22/defining-the-isms-scope-if-the-servers-are-in-the-cloud/
Aug 10, 2022